Seclog - #137


"The enemy does not care what systems were in scope for testing. Protect your weak points." - The Art of Cyber War
๐ฐ SecLinks
Cloud Build Race Condition Bypass โ A subtle race condition in Google Cloud Build's GitHub integration could bypass maintainer review for pull request tests, highlighting critical access control risks in CI/CD systems. Read More
CrushFTP RCE via DMZ Proxy Flaw โ CVE-2025-54309 exploited security check failures in CrushFTP's DMZ proxy, bypassing protections for the internal admin server. Read More
Hijacking Multi-Agent System Risks โ Multi-agent systems (MASs) face failures from unknown components, paralleling distributed system vulnerabilities, enabling new exploit avenues. Read More
PyPI Phishing Attack Incident Report โ A recent campaign targeted PyPI users via email, prompting awareness and initial details about the attack vector. Read More
AI Prompt Injection Risks and Mitigation โ With rising LLM adoption, prompt injection poses new threats; an example illustrates real-world exploitation and defensive strategies. Read More
Pixel 8 Kernel Debugging via KGDB Guide โ Techniques include building custom kernels, breaking into KGDB using ADB or serial connections, and attaching GDB for debugging. Read More
Semgrep Adoption Strategies and MAS Risks โ Introducing Semgrep requires organizational planning for security gains, while multi-agent systems face distributed failure risks akin to traditional infrastructure. [Read More](https://blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/?ref=log.rosecurify.com
TerraMaster NAS Firmware Extraction to RCE โ Firmware extraction and PHP analysis led to remote code execution on TerraMaster NAS devices, starting from an IoT security research idea. Read More
Gemini CLI Silent Code Execution Risk โ A silent attack on Gemini CLI combined improper validation, prompt injection, and misleading UX to execute malicious commands during untrusted code inspection. Read More
Critical Base44 Vulnerability Exposes Private Apps โ A flaw in the AI "vibe coding" platform Base44 allowed unauthorized access to users' private applications, identified by Wiz Research. Read More
PyPI Phishing Attack Incident Report โ A recent campaign targeted PyPI users via email, prompting awareness and initial details about the attack vector. Read More
๐ป SecGit
rb-x/penflow: A visual methodology tracking platform tailored for offensive security assessments
Proton's Lumo AI Assistant Prompt โ Defines a cat-like, upbeat AI personality with guidelines for curiosity and respectful user interactions. Explore on GitHub
Java RMI Vulnerability Scanner Tool โ Remote-Method-Guesser identifies and exploits vulnerabilities in Java RMI services efficiently. Explore on GitHub
Amazon MWAA Remote Code Execution โ Details an RCE vulnerability in Amazon Managed Workflows for Apache Airflow (MWAA). Explore on GitHub
S3DNS: Cloud Bucket Discovery Tool โ Acts as a DNS server to identify AWS/GCP/Azure buckets, following CNAMEs and matching patterns during surfing. Explore on GitHub
CVE.ICU Project Code Release โ Hosts the source code for the CVE.ICU initiative, though specifics remain sparse from the highlight. Explore on GitHub
Pwnat: Firewall/NAT Hole-Punching โ Exploits NAT translation tables to connect clients/servers behind separate NATs without third-party tools. Explore on GitHub
For suggestions and any feedback, please contact: securify@rosecurify.com
Subscribe to my newsletter
Read articles from Rosecurify directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
